#garfield Logs

Jun 16 2022


01:10 AM polprog: rue_shop3: can you put the rom file somewhere?
01:30 AM rue_shop3: hahah
01:30 AM rue_shop3: I'll write something and correct it
01:31 AM rue_shop3: I can give you a copy when I do
01:32 AM polprog: im correcting it now
01:32 AM Tom_L: HAH! caught ya!
01:39 AM rue_shop3: :)
01:40 AM polprog: https://polprog.net/rozne1/ircjunk/various/jetdirect/
01:40 AM polprog: there
01:41 AM rue_shop3: can you binwalk it and see if its MIPS?
01:43 AM polprog: yeah
01:44 AM rue_shop3: I've not used it before
01:46 AM rue_shop3: it starts with a huge vector table
01:47 AM rue_shop3: I'm wondering if its multicore
01:50 AM polprog: ive put binwalk output in the directory
01:51 AM rue_shop3: "Dump end" ?
01:51 AM rue_shop3: pattern address out of bounds...
01:51 AM rue_shop3: I think there is definitely a reflash util in here
01:52 AM rue_shop3: OMG! coool!!!!
01:55 AM rue_shop3: Partn was not fo
01:55 AM rue_shop3: B7330: 75 6E 64 00 45 45 50 52 - 4F 4D 20 63 6D 64 20 65 und.EEPROM cmd e
01:55 AM rue_shop3: B7340: 72 61 73 65 2F 77 72 69 - 74 65 20 74 6F 20 73 65 rase/write to se
01:55 AM rue_shop3: B7350: 63 74 6F 72 20 30 00 45 - 45 50 52 4F 4D 20 63 6D ctor 0.EEPROM cm
01:55 AM rue_shop3: B7360: 64 20 70 61 72 61 6D 65 - 74 65 72 20 65 72 72 6F d parameter erro
01:55 AM rue_shop3: B7370: 72 00 45 45 50 52 4F 4D - 20 63 6D 64 20 77 68 65 r.EEPROM cmd whe
01:55 AM rue_shop3: B7380: 6E 20 6E 6F 74 20 72 65 - 61 64 79 00 45 45 50 52 n not ready.EEPR
01:55 AM rue_shop3: B7390: 4F 4D 20 65 72 72 6F 72 - 20 77 6F 6E 27 74 20 63 OM error won't c
01:55 AM rue_shop3: B73A0: 6C 65 61 72 00 45 45 50 - 52 4F 4D 20 65 72 61 73 lear.EEPROM eras
01:55 AM rue_shop3: B73B0: 65 20 72 65 71 20 77 68 - 65 6E 20 73 75 73 70 65 e req when suspe
01:55 AM rue_shop3: B73C0: 6E 64 65 64 00 45 45 50 - 52 4F 4D 20 70 63 6F 6E nded.EEPROM pcon
01:55 AM rue_shop3: B73D0: 74 69 6E 20 77 68 65 6E - 20 6E 6F 74 20 73 75 73 tin when not sus
01:55 AM rue_shop3: B73E0: 70 65 6E 64 65 64 00 45 - 45 50 52 4F 4D 20 56 70 pended.EEPROM Vp
01:55 AM rue_shop3: B73F0: 70 20 6C 6F 77 20 65 72 - 72 6F 72 00 45 45 50 52 p low error.EEPR
01:55 AM rue_shop3: B7400: 4F 4D 20 43 6F 6D 6D 61 - 6E 64 20 73 65 71 20 65 OM Command seq e
01:55 AM rue_shop3: B7410: 72 72 6F 72 00 45 45 50 - 52 4F 4D 20 45 72 61 73 rror.EEPROM Eras
01:55 AM rue_shop3: B7420: 65 20 65 72 72 6F 72 00 - 45 45 50 52 4F 4D 20 57 e error.EEPROM W
01:55 AM rue_shop3: B7430: 72 69 74 65 20 65 72 72 - 6F 72 00 45 45 50 52 4F rite error.EEPRO
01:55 AM rue_shop3: there is a terminal for programming it in here
01:57 AM rue_shop3: https://gitee.com/openupf/openupf/blob/226594dd840afc959ccf92dedcf293dfbeb8547d/core/service/fastpass/fp_main.c
01:59 AM polprog: oh neat
02:00 AM rue_shop3: I wonder what the odds are its the same file
02:01 AM polprog: binwalk says this is motorola coldfire
02:01 AM rue_shop3: !!! SWEET
02:02 AM rue_shop3: explains the p68 reference
02:03 AM rue_shop3: https://gcc.gnu.org/onlinedocs/gcc/M680x0-Options.html
02:06 AM polprog: sadly radare does not support coldfire
02:12 AM rue_shop3: it doesn't support anything I've tried to reverse
02:12 AM rue_shop3: I hate it
02:13 AM rue_shop3: I cant get binwalk to extract the images
02:13 AM polprog: im disassembling it as m69k
02:13 AM polprog: m69k
02:13 AM polprog: m68k!!!
02:13 AM rue_shop3: ok
02:13 AM polprog: the entry is at 0x28d0
02:13 AM rue_shop3: ugh, I hate motorola
02:14 AM polprog: https://slideplayer.com/slide/1510438/ slide23
02:14 AM polprog: the vector table makes sense
02:15 AM rue_shop3: :)
02:17 AM polprog: if you can guess what is the original part # for this avago cpu..
02:17 AM polprog: you can then get a datasheet
02:17 AM rue_shop3: hahaha
02:17 AM rue_shop3: well, the package is...
02:17 AM rue_shop3: cross with digikey...
02:17 AM rue_shop3: }:]
02:18 AM polprog: ok time to get breakfast
02:18 AM polprog: did my script to unfuck the endianness come in handy or did you use yours?
02:19 AM rue_shop3: I used your fixed binary
02:19 AM rue_shop3: :)
02:19 AM rue_shop3: I was going to do something in C
02:19 AM polprog: yay
02:19 AM rue_shop3: this is cool thanks
02:19 AM rue_shop3: oh god its midnight
02:19 AM polprog: hm i think i have the coldfire dev software somewhere, its in demo version
02:19 AM polprog: that was when I was trying to get the dev boards from aandrew working
02:20 AM rue_shop3: so, the network chip on it has no posted datasheet either
02:20 AM rue_shop3: not sure if I'm worried about using the network, but it would be nice
02:21 AM polprog: :)
02:21 AM polprog: ok, breakfast time, bbl
02:21 AM polprog: i gotta study for the exams
02:40 AM rue_mohr: Partn addr out-of-bounds
02:40 AM rue_mohr: Partn signature bad
02:40 AM rue_mohr: Partn type doesn't match specified
02:40 AM rue_mohr: Partn hwid doesn't match specified
02:40 AM rue_mohr: Partn length bad =0 or =1's
02:40 AM rue_mohr: Partn length out-of-bounds
02:40 AM rue_mohr: Partn entry addr bad =0 or =1's
02:40 AM rue_mohr: Partn entry out-of-bounds
02:40 AM rue_mohr: Partn CRC bad
02:40 AM rue_mohr: Partn was not found
02:40 AM rue_mohr: EEPROM cmd erase/write to sector 0
02:40 AM rue_mohr: EEPROM cmd parameter error
02:40 AM rue_mohr: EEPROM cmd when not ready
02:40 AM rue_mohr: EEPROM error won't clear
02:40 AM rue_mohr: EEPROM erase req when suspended
02:40 AM rue_mohr: EEPROM pcontin when not suspended
02:40 AM rue_mohr: EEPROM Vpp low error
02:40 AM rue_mohr: EEPROM Command seq error
02:40 AM rue_mohr: EEPROM Erase error
02:40 AM rue_mohr: EEPROM Write error
02:40 AM rue_mohr: EEPROM cmd unsupported
02:40 AM rue_mohr: EEPROM cmd invalid parameter
02:40 AM rue_mohr: EEPROM erase bad address
02:40 AM rue_mohr: EEPROM erase bad block length
02:40 AM rue_mohr: EEPROM erase bad byte length
02:40 AM rue_mohr: EEPROM write bad address
02:40 AM rue_mohr: EEPROM write bad length
02:40 AM rue_mohr: FLASH Unknown error
03:23 AM rue_mohr: Incomplete f
03:23 AM rue_mohr: C6F00: 69 72 6D 77 61 72 65 20 - 2D 20 6D 75 73 74 20 64 irmware - must d
03:23 AM rue_mohr: C6F10: 6F 77 6E 6C 6F 61 64 00 - 49 64 6C 69 6E 67 20 74 ownload.
03:25 AM rue_mohr: Erasing EEPROM for %s
03:25 AM rue_mohr: ERASE failed for %s with compl=0x%x (%s)
03:25 AM rue_mohr: Locking EEPROM op-queue
03:25 AM rue_mohr: CRCing EEPROM %s
03:25 AM rue_mohr: CRC failed for %s with compl=0x%x (%s)
03:25 AM rue_mohr: Stalling before switch to %s
03:25 AM rue_mohr: Closing before switching to %s
03:25 AM rue_mohr: Closing BP before switching to %s
03:25 AM rue_mohr: Closing FP before switching to %s
03:25 AM rue_mohr: Switching to EEPROM %s
03:25 AM rue_mohr: Running new download %s firmware EEPROM rev: %s
03:25 AM rue_mohr: Switch to EEPROM %s failed with compl=0x%x
03:25 AM rue_mohr: TFTP error
03:26 AM rue_mohr: ... can it download firmware from tftp?
03:26 AM rue_mohr: TFTP error (%s) during programming of %s from file: %s
03:27 AM rue_mohr: .. that big gap in the rom
03:28 AM rue_mohr: I think thats between the bootloader and the main firmware
03:29 AM rue_mohr: load length mismatch between erase scan and code scan
03:29 AM rue_mohr: Erasing EEPROM
03:29 AM rue_mohr: Programming EEPROM %s code from file: %s
03:29 AM rue_mohr: Programming EEPROM %s code - left=%d block=%d - file: %s
03:29 AM rue_mohr: EEPROM programming complete
03:29 AM rue_mohr: WRITE failed for %s with compl=0x%x (%s)
03:30 AM rue_mohr: this is... not.. just firmware for this...
03:30 AM rue_mohr: this was from a 1 port device
03:31 AM rue_mohr: the code is here for a 2 and 3 port (which I have a 3 port)
03:31 AM rue_mohr: and it keeps referring to itself as a printer, so I THINK this is the same software they use IN the printers
03:31 AM rue_mohr: aka, a printer is internally a parallel port machine, with a built-in jet-direct
03:38 AM rue_mohr: there are a whole bunch of flash test files on here
04:50 AM Tom_L: .
09:18 AM rue_mohr: .
09:26 AM rue_mohr: polprog, here's one to keep you up, I got an HP firmware update file for it
09:26 AM rue_mohr: its not compressed
09:27 AM rue_mohr: the data at 0x200 in the file corresponds to address 0x10000 on the ROM
09:43 AM rue_mohr: it looks like the dump actually has 3 files in it
09:44 AM rue_mohr: oh no, just differences in versions
09:49 AM polprog: oh thats cool
04:27 PM polprog: slowly making something out of that rom
04:44 PM Tom_L: what's 68k got to do with this?
04:52 PM polprog: coldfire is 68k on drugs
05:40 PM polprog: i cant find anything sensible
05:42 PM polprog: peripherals start at 0x0800 0000, ram is probably at 0x0E00 0000
05:42 PM polprog: night
06:06 PM rue_mohr: polprog,
06:06 PM rue_mohr: you awake or asleep?
06:09 PM polprog: awake still
06:09 PM polprog: sup
06:10 PM rue_mohr: oh, you're picking at the firmware then eh?
06:11 PM rue_mohr: I saw a few things
06:11 PM polprog: yeah, but i hit a dead end
06:11 PM rue_mohr: the block at the start is like a bootloader
06:11 PM polprog: yeah, it is
06:11 PM polprog: huuuuge function
06:11 PM rue_mohr: the rest of the rom is divided into virtual "files"
06:11 PM polprog: mm
06:11 PM rue_mohr: that can be loaded via ?
06:11 PM rue_mohr: ftp maybe
06:11 PM polprog: the bootloader jumps to (a0) at the very end
06:11 PM rue_mohr: I got an update file for it (its a 300x)
06:11 PM polprog: there is a number of test functions left
06:12 PM polprog: like, theres a function which writes 0x12345678 to some reserved register
06:12 PM rue_mohr: I think there is a serial terminal in there
06:12 PM rue_mohr: or a special telnet mode
06:12 PM polprog: there are a couple functions that set the Trace bit in status reg (runs Trace ISR every instruction)
06:12 PM rue_mohr: the board uses dram, I'm not sure if there needs to be special hardware initialized for it to work
06:13 PM rue_mohr: ok, so its got single stepping too, cool
06:13 PM polprog: yeah
06:13 PM polprog: you probably need a BDM programmer
06:13 PM rue_mohr: the update file seems to have 2 file blocks in it
06:13 PM polprog: for coldfire stuff
06:13 PM rue_mohr: did you see the "file upload test" in the end of the image?
06:13 PM polprog: no
06:14 PM rue_mohr: I think I can mod the firmware update file to install whatever I want
06:14 PM rue_mohr: but I need to know some things
06:14 PM polprog: but im afraid youd need to dig very deep to be able to load your own fake "file" into it (easy) and then jump to it (hard)
06:14 PM rue_mohr: not really
06:14 PM polprog: ok
06:14 PM rue_mohr: the update file isn't compressed or encoded
06:14 PM polprog: im fairly sure that 0x0800 0000 is the watch dog
06:15 PM polprog: init procedure writes incrementing numbers to it starting from 10h
06:15 PM rue_mohr: the model is checked, and the firmware versions, and there is a checksum
06:15 PM rue_mohr: sweet
06:15 PM rue_mohr: or maybe its a dram refresh?
06:15 PM polprog: no, it says watch dog in the coldfire reference manual
06:15 PM rue_mohr: oh cool!
06:15 PM rue_mohr: pdf?
06:16 PM polprog: it writes to a number of registers in the 0x800 0XXX area that arent in the reference, or are reserved, or dont make sense
06:16 PM rue_mohr: ok
06:16 PM rue_mohr: I wonder how hard it is to find the port addresses
06:17 PM rue_mohr: hah, if we overlapped better I think we could really tear this apart
06:17 PM polprog: MCF5307BUM.pdf google that
06:17 PM polprog: i was looking at that
06:18 PM polprog: then just now i found MCF5282UM.pdf
06:18 PM polprog: which has more registers..
06:18 PM rue_mohr: ok
06:19 PM rue_mohr: the update file uses a large space separated string list for the applicable models
06:19 PM polprog: i saw that yea
06:20 PM rue_mohr: that first function must init all the hardware then eh?
06:20 PM rue_mohr: ram io and ethernet
06:20 PM polprog: yeah, lots of ifs there
06:20 PM polprog: branches
06:21 PM rue_mohr: cool
06:21 PM rue_mohr: I think it can probably stay
06:21 PM polprog: basically the firmware dump starts with an IVT
06:21 PM rue_mohr: and just change the block it goes to after
06:21 PM polprog: 0x0000 is initial stack, 0x0004 is initial PC
06:21 PM rue_mohr: oh, those are jump commands and not just vector addresses?
06:21 PM polprog: i was trying hard to find a function which uses these hexdump format strings
06:21 PM polprog: no, those are addresses
06:21 PM rue_mohr: ok
06:22 PM rue_mohr: hey
06:22 PM polprog: 00000000: 0087 fff0 0000 28d0 0000 0420 0000 042a
06:22 PM polprog: so the initial function is at 0x0000 28d0
06:22 PM rue_mohr: if the coldfire cpu can do ethernet, why is there an ethernet controller on the board?
06:22 PM polprog: i dont know if it can do ethernet
06:23 PM polprog: anyway so i was saying, i cannot find any function that looks like a printf/puts/putchar
06:23 PM rue_mohr: oh clue
06:23 PM rue_mohr: The MCF5214 and MCF5216 do NOT contain an FEC module.
06:23 PM polprog: i found one - but it doesnt write any registers
06:23 PM rue_mohr: FEC Fast Ethernet Controller
06:23 PM polprog: oh
06:23 PM polprog: did you find out what hides under that avago chip number?
06:24 PM rue_mohr: no
06:24 PM rue_mohr: been sleeping and working
06:25 PM polprog: hm
06:25 PM polprog: i gotta go to sleep now
06:25 PM polprog: but im getting the hang of IDA
06:25 PM rue_mohr: yea, like I say, we dont overlap enough :)
06:26 PM polprog: true :D
06:26 PM polprog: anyway so ill keep picking.. i hope to at least find the uart data register
06:27 PM polprog: then we could patch up the main function to jump to our code that just writes something to uart
06:27 PM rue_mohr: I'm trying to work out how to make a custom firmware update file
06:27 PM polprog: try swapping the gif images first ;)
06:27 PM polprog: anyway, goodnight
06:27 PM rue_mohr: oh :) sure
06:29 PM rue_mohr: oh, I cant get binwalk to extract them }:/
06:35 PM Tom_L: sleeping at work?
06:39 PM rue_mohr: not yet